Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000F Handbook

Download PDF
Copy Link

FPM-7620F processing module

The FPM-7620F processor module is a high-performance worker module that processes sessions load balanced to it by FIMs over the chassis fabric backplane. The FPM-7620F includes two 400Gbps data connections to the FIMs over the chassis fabric backplane and two 50Gbps management connections to the FIMs over base backplane. FPM-7620Fs are installed in chassis slots 3 and up.

The FPM-7620F also includes two front panel 400GigE QSFP-DD fabric channel data interfaces (1 and 2) and eight 10/25GigE SFP28 fabric channel data interfaces (3 to 10). Interfaces 1 and 2 can be connected to 400Gbps data networks. Interfaces 3 to 10 can be connected to 25Gbps data networks. You an also change the speeds of the front panel data interfaces.

FPM fabric channel data interfaces increase the number of data interfaces supported by FortiGate-7000F. Data traffic received by these interfaces is sent over the fabric backplane to the FIM NP7 processors to be load balanced back to the FPMs.

The FPM-7620F processes sessions using a dual CPU configuration, accelerates network traffic processing with two NP7 processors and accelerates content processing with eight CP9 processors. The NP7 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP7 processors.

FPM-7620F front panel

FPM-7620F front panel interfaces

You can connect the FPM-7620F to your networks using the front panel fabric channel data interfaces described in the following table. You can create link aggregation groups (LAGs) that can include data interfaces from multiple FIMs and FPMs in the same chassis.

Connector Type Speed Protocol Description
1 and 2 QSFP-DD

400Gbps

100Gbps

40Gbps

4 x 100Gbps (split)

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet Two front panel 400GigE QSFP-DD fabric channel data interfaces can be connected to 400Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can also operate as 100GigE QSFP28 or 40GigE QSFP+ interfaces. If the FortiGate-7000F includes two FIM-7941Fs, these interfaces can be split into four interfaces that can operate at 100Gbps, 25Gbps, or 10Gbps.

3 to 10

SFP28

25Gbps

10Gbps

Ethernet

Eight front panel 25GigE SFP28 fabric channel data interfaces that can be connected to 25Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can also operate as 10GigE SFP+ interfaces.

MGMT RJ-45

10Mbps

100Mbps

1000Mbps

Ethernet 10/100/1000BASE-T copper out of band management ethernet interface.

Changing the FPM-7620F 1 and 2 (P1 and P2) interfaces

You can make following changes to the 1 and 2 (P1 and P2) interfaces:

  • Change the interface speed to 400G, 100G, or 40G using the config system interface command.

  • Change the interface type to 100GigE QSFP28.

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can also make the following changes:

  • Split the interface into four 100GigE CR2 interfaces.

  • Split the interface into four 25GigE CR or 10GigE SR interfaces.

All of these operations, except changing the interface speed using the config system interface command, require a system restart. Fortinet recommends that you perform these operations during a maintenance window and plan the changes to avoid traffic disruption. For example, you can change interface types and split interfaces as a single operation.

Note

You should change interface types or split interfaces on both FortiGate-7000Fs before forming an FGCP HA cluster. If you decide to change interface type or split interfaces after forming a cluster, you need to remove the backup FortiGate-7000F from the cluster and change interfaces as required on both FortiGate-7000Fs separately. After the FortiGate-7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

Changing the P1 or P2 interface type to 100GigE QSFP28

You can use the following command to convert the P1 or P2 interface to a 100GigE QSFP28 interface. To change the interface type of P1 of the FPM-7620F in slot 4 (4-P1) and P2 of the FPM-7620F in slot 6 (6-P2) enter the following command:

config system global

set qsfpdd-100g-port 4-P1 6-P2

end

The FortiGate-7000F reboots and when it starts up interface 4-P1 and 6-P2 are operating as 100GigE QSFP28 interfaces.

Splitting the P1 or P2 interfaces into four 100GigE CR2 interfaces

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can use the following command to split the P1 or P2 interfaces into four 100GigE CR2 interfaces. To split P1 of the FPM-7620F in slot 6 (6-P1) and P2 of the FPM-7620F in slot 7 (7-P2) enter the following command:

config system global

set split-port 6-P1 7-P2

end

The FortiGate-7000F reboots and when it starts up:

  • Interface 6-P1 has been replaced by four 100GigE CR2 interfaces named 6-P1/1 to 6-P1/4.

  • Interface 7-P2 has been replaced by four 100GigE CR2 interfaces named 7-P2/1 to 7-P2/4.

Splitting the P1 or P2 interfaces into four 25GigE CR or 10GigE SR interfaces

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can use the following command to split the P1 or P2 interfaces into four 25GigE CR interfaces. The following command converts the interface into a 100GigE QSFP28 interface then splits this interface into four 25 GigE CR interfaces. To split P1 of the FPM-7620F in slot 8 (8-P1) and P2 of the FPM-7620F in slot 9 (9-P2) enter the following command:

config system global

set qsfpdd-100g-port 8-P1 9-P2

set split-port 8-P1 9-P2

end

The FortiGate-7000F reboots and when it starts up:

  • Interface 8-P1 has been replaced by four 25GigE CR interfaces named 8-P1/1 to 8-P1/4.

  • Interface 9-P2 has been replaced by four 25GigE CR interfaces named 9-P2/1 to 9-P2/4.

If you want some or all of these interfaces to operate as 10GigE SR interfaces you can use the config system interface command to change the interface speed. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

FPM-7620E hardware schematic

The two FPM-7620F NP7 network processors provide hardware acceleration by offloading data traffic from the FPM-7620F CPUs. The result is enhanced network performance provided by the NP7 processors plus the network processing load is removed from the CPU. The NP7processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. Because of the integrated switch fabric, all sessions are fast-pathed and accelerated.

Traffic from FPM-7620F front panel data interfaces is sent over the fabric channel backplane to the FIMs where NP7 processors use SLBC to distribute sessions to individual FPMs. The FPM-7620F can be processing traffic received from FIM data interfaces and from FPM data interfaces.

FPM-7620F hardware architecture

 

FPM-7620F processing module

The FPM-7620F processor module is a high-performance worker module that processes sessions load balanced to it by FIMs over the chassis fabric backplane. The FPM-7620F includes two 400Gbps data connections to the FIMs over the chassis fabric backplane and two 50Gbps management connections to the FIMs over base backplane. FPM-7620Fs are installed in chassis slots 3 and up.

The FPM-7620F also includes two front panel 400GigE QSFP-DD fabric channel data interfaces (1 and 2) and eight 10/25GigE SFP28 fabric channel data interfaces (3 to 10). Interfaces 1 and 2 can be connected to 400Gbps data networks. Interfaces 3 to 10 can be connected to 25Gbps data networks. You an also change the speeds of the front panel data interfaces.

FPM fabric channel data interfaces increase the number of data interfaces supported by FortiGate-7000F. Data traffic received by these interfaces is sent over the fabric backplane to the FIM NP7 processors to be load balanced back to the FPMs.

The FPM-7620F processes sessions using a dual CPU configuration, accelerates network traffic processing with two NP7 processors and accelerates content processing with eight CP9 processors. The NP7 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP7 processors.

FPM-7620F front panel

FPM-7620F front panel interfaces

You can connect the FPM-7620F to your networks using the front panel fabric channel data interfaces described in the following table. You can create link aggregation groups (LAGs) that can include data interfaces from multiple FIMs and FPMs in the same chassis.

Connector Type Speed Protocol Description
1 and 2 QSFP-DD

400Gbps

100Gbps

40Gbps

4 x 100Gbps (split)

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet Two front panel 400GigE QSFP-DD fabric channel data interfaces can be connected to 400Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can also operate as 100GigE QSFP28 or 40GigE QSFP+ interfaces. If the FortiGate-7000F includes two FIM-7941Fs, these interfaces can be split into four interfaces that can operate at 100Gbps, 25Gbps, or 10Gbps.

3 to 10

SFP28

25Gbps

10Gbps

Ethernet

Eight front panel 25GigE SFP28 fabric channel data interfaces that can be connected to 25Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can also operate as 10GigE SFP+ interfaces.

MGMT RJ-45

10Mbps

100Mbps

1000Mbps

Ethernet 10/100/1000BASE-T copper out of band management ethernet interface.

Changing the FPM-7620F 1 and 2 (P1 and P2) interfaces

You can make following changes to the 1 and 2 (P1 and P2) interfaces:

  • Change the interface speed to 400G, 100G, or 40G using the config system interface command.

  • Change the interface type to 100GigE QSFP28.

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can also make the following changes:

  • Split the interface into four 100GigE CR2 interfaces.

  • Split the interface into four 25GigE CR or 10GigE SR interfaces.

All of these operations, except changing the interface speed using the config system interface command, require a system restart. Fortinet recommends that you perform these operations during a maintenance window and plan the changes to avoid traffic disruption. For example, you can change interface types and split interfaces as a single operation.

Note

You should change interface types or split interfaces on both FortiGate-7000Fs before forming an FGCP HA cluster. If you decide to change interface type or split interfaces after forming a cluster, you need to remove the backup FortiGate-7000F from the cluster and change interfaces as required on both FortiGate-7000Fs separately. After the FortiGate-7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

Changing the P1 or P2 interface type to 100GigE QSFP28

You can use the following command to convert the P1 or P2 interface to a 100GigE QSFP28 interface. To change the interface type of P1 of the FPM-7620F in slot 4 (4-P1) and P2 of the FPM-7620F in slot 6 (6-P2) enter the following command:

config system global

set qsfpdd-100g-port 4-P1 6-P2

end

The FortiGate-7000F reboots and when it starts up interface 4-P1 and 6-P2 are operating as 100GigE QSFP28 interfaces.

Splitting the P1 or P2 interfaces into four 100GigE CR2 interfaces

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can use the following command to split the P1 or P2 interfaces into four 100GigE CR2 interfaces. To split P1 of the FPM-7620F in slot 6 (6-P1) and P2 of the FPM-7620F in slot 7 (7-P2) enter the following command:

config system global

set split-port 6-P1 7-P2

end

The FortiGate-7000F reboots and when it starts up:

  • Interface 6-P1 has been replaced by four 100GigE CR2 interfaces named 6-P1/1 to 6-P1/4.

  • Interface 7-P2 has been replaced by four 100GigE CR2 interfaces named 7-P2/1 to 7-P2/4.

Splitting the P1 or P2 interfaces into four 25GigE CR or 10GigE SR interfaces

When the FPM-7620F is installed in a FortiGate-7000F with two FIM-7941Fs, you can use the following command to split the P1 or P2 interfaces into four 25GigE CR interfaces. The following command converts the interface into a 100GigE QSFP28 interface then splits this interface into four 25 GigE CR interfaces. To split P1 of the FPM-7620F in slot 8 (8-P1) and P2 of the FPM-7620F in slot 9 (9-P2) enter the following command:

config system global

set qsfpdd-100g-port 8-P1 9-P2

set split-port 8-P1 9-P2

end

The FortiGate-7000F reboots and when it starts up:

  • Interface 8-P1 has been replaced by four 25GigE CR interfaces named 8-P1/1 to 8-P1/4.

  • Interface 9-P2 has been replaced by four 25GigE CR interfaces named 9-P2/1 to 9-P2/4.

If you want some or all of these interfaces to operate as 10GigE SR interfaces you can use the config system interface command to change the interface speed. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

FPM-7620E hardware schematic

The two FPM-7620F NP7 network processors provide hardware acceleration by offloading data traffic from the FPM-7620F CPUs. The result is enhanced network performance provided by the NP7 processors plus the network processing load is removed from the CPU. The NP7processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. Because of the integrated switch fabric, all sessions are fast-pathed and accelerated.

Traffic from FPM-7620F front panel data interfaces is sent over the fabric channel backplane to the FIMs where NP7 processors use SLBC to distribute sessions to individual FPMs. The FPM-7620F can be processing traffic received from FIM data interfaces and from FPM data interfaces.

FPM-7620F hardware architecture